Splunk Lantern

Splunk over IPv6 Runbook for Splunk Enterprise Customers

 

This article provides step-by-step instructions for enabling IPv6 traffic in DualStack mode for Splunk Enterprise deployments.

Prerequisites

If you use Splunk ITSI or Splunk Enterprise Security, you might need to update your Splunk Enterprise version. Work with your Solution Engineer to determine if this applies to you before completing the following procedure.

In addition, you will need to upgrade the premium applications to the following versions.

IPv6 is not supported on any other Splunk premium apps.

Procedure 

  1. Contact your network administrator to let them know you want to enable IPv6 traffic in DualStack mode for Splunk Enterprise. Reach out to your Splunk Solution Engineer or Regional Sales Manager for guidance if needed.
  2. Work with your Solution Engineer to assess readiness, considering third-party integrations, Splunkbase apps, and network customizations.
  3. Reserve IPv6 addresses for Splunk deployments.
  4. Update your firewall rules to let IPv6 traffic flow from and to Splunk Enterprise.

    You might need to go through a multi-step compliance process to update the firewall.

  5. Follow the steps described in Configure Splunk Enterprise for IPv6. Additional helpful resources are:
  6. Splunk recommends that you keep your IPv4 addresses and IPv4 firewall rules so that, if any issues occur with IPv6, the traffic falls back to IPv4. Thanks to the DualStack mode, no data will be lost, which ensures a smooth transition period. You can later turn off IPv4 traffic to achieve an IPv6-only setup. While doing so, remember to allowlist IPv6 subnets in the Admin Config Service so that connections to Search Head, Input Data Manager, and HTTP Event Collector (HEC), as well as connections over the Splunk-to-Splunk (S2S) protocol, remain possible. You must do this first from your IPv4 subnets before you cut over to avoid losing access.
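
One way to confirm that an instance is in the DualStack state that steps 5 and 6 describe before IPv4 is turned off, as an added example (not Splunk's own code). It reads the `listenOnIPv6` and `connectUsingIpVersion` settings from the `[general]` stanza of `server.conf`; the function names and sample file contents are constructed for illustration.

```python
# Added example: audit server.conf for the dual-stack posture in step 6.
# listenOnIPv6 / connectUsingIpVersion are [general] settings in server.conf;
# the sample file contents and function names below are constructed.

# How connectUsingIpVersion = auto resolves for each listenOnIPv6 value.
AUTO_OUTBOUND = {"no": "4-only", "yes": "6-first", "only": "6-only"}
INBOUND = {"no": "ipv4-only", "yes": "dual-stack", "only": "ipv6-only"}

def parse_general(conf_text):
    """Return key/value pairs from the [general] stanza of a .conf file."""
    stanza, settings = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza == "general" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_ip_posture(conf_text):
    """Classify inbound/outbound IP behaviour and list transition findings."""
    general = parse_general(conf_text)
    listen = general.get("listenOnIPv6", "no").lower()          # default: no
    outbound = general.get("connectUsingIpVersion", "auto").lower()
    if listen not in INBOUND:
        return {"inbound": "invalid", "outbound": outbound,
                "findings": [f"unrecognised listenOnIPv6 value: {listen}"]}
    if outbound == "auto":
        outbound = AUTO_OUTBOUND[listen]
    findings = []
    if listen == "no":
        findings.append("splunkd is not listening on IPv6")
    if listen == "only":
        findings.append("IPv4 listener is off: no inbound fallback")
    if outbound in ("4-only", "6-only"):
        findings.append(f"outbound is {outbound}: no fallback to the other family")
    return {"inbound": INBOUND[listen], "outbound": outbound, "findings": findings}

# Constructed sample files.
DUAL_STACK = "[general]\nserverName = idx01.example.com\nlistenOnIPv6 = yes\n"
IPV6_ONLY = "[general]\nlistenOnIPv6 = only\nconnectUsingIpVersion = auto\n"

if __name__ == "__main__":
    for name, text in (("dual-stack", DUAL_STACK), ("ipv6-only", IPV6_ONLY)):
        print(name, audit_ip_posture(text))
```

An empty `findings` list means the instance accepts both address families and outbound connections can fall back, which is the transition state step 6 recommends keeping until the IPv6 allowlists are in place.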